You can migrate keys from an existing Java KeyStore (JKS) to Key Trustee Server to improve security, durability, and scalability. If you are using the Java KeyStore KMS service and want to use Key Trustee Server as the backing key store for HDFS Transparent Encryption, use the following procedure.

This procedure assumes that the Java KeyStore (JKS) is on the same host as the new Key Trustee KMS service.

Stop the Java KeyStore KMS service.

Add and configure the Key Trustee KMS service, and configure HDFS to use it for its KMS Service setting. For more information about how to install Key Trustee KMS, see Installing Key Trustee KMS. Restart the HDFS service and redeploy client configuration for this to take effect: Home > Cluster-wide > Deploy Client Configuration.

Monitor /var/log/kms-keytrustee/kms.log and /var/log/kms-keytrustee/kms-catalina.<date>.log to verify that the migration is successful. You can also run sudo -u <key_admin> hadoop key list to verify that
the keys are listed.

After you have verified that the migration is successful, remove the safety valve entry used in step 3 and restart the Key Trustee KMS service.
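For the verification step above, the following added example (not Cloudera code) compares a saved `hadoop key list` output from before the migration with one taken afterwards and reports any key name that did not carry over. Capturing a listing before the migration is an assumption of this example, as are the listing's header format, the sample key names, and the function names.

```shell
#!/bin/sh
# Added example, not Cloudera code. Assumption: `hadoop key list` prints a
# "Listing keys for KeyProvider: ..." header, then one key name per line.

# key_names FILE: print the sorted, de-duplicated key names in a saved listing.
key_names() {
    awk '!/^Listing keys for KeyProvider/ && NF { sub(/[ \t\r]+$/, ""); print }' "$1" | sort -u
}

# missing_keys BEFORE AFTER: print key names present in BEFORE but not in AFTER.
missing_keys() {
    mk_before=$(mktemp); mk_after=$(mktemp)
    key_names "$1" > "$mk_before"
    key_names "$2" > "$mk_after"
    comm -23 "$mk_before" "$mk_after"
    rm -f "$mk_before" "$mk_after"
}

# verify_migration BEFORE AFTER: return 0 only if no key name went missing.
verify_migration() {
    vm_missing=$(missing_keys "$1" "$2")
    if [ -n "$vm_missing" ]; then
        printf 'MISSING after migration:\n%s\n' "$vm_missing" >&2
        return 1
    fi
    echo "all $(key_names "$1" | wc -l | tr -d ' ') keys present"
}

# Constructed sample listings (hypothetical key names and provider strings).
# Real use: save `sudo -u <key_admin> hadoop key list` output before and after.
sample_dir=$(mktemp -d)
cat > "$sample_dir/before.txt" <<'EOF'
Listing keys for KeyProvider: KMSClientProvider[constructed-jks-kms]
finance_zone_key
hr_zone_key
logs_zone_key
EOF
cat > "$sample_dir/after.txt" <<'EOF'
Listing keys for KeyProvider: KMSClientProvider[constructed-kt-kms]
hr_zone_key
finance_zone_key
EOF
verify_migration "$sample_dir/before.txt" "$sample_dir/after.txt" || echo "migration incomplete"
```

A key name missing from the second listing means the encryption zones that use it cannot be read through the new KMS, so resolve any reported name before removing the safety valve entry.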
